Abstract
The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system, typically used for sandboxing application programs that are dynamically loaded onto the chip. Evaluation of the chip at a high Common Criteria assurance level (EAL5+) requires a formal security model.
We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach supports an adequate level of abstraction, which makes the analysis efficient, and that it exposes potential pitfalls such as non-injective address translation, i.e. two distinct logical addresses resolving to the same physical cell, which can undermine the isolation between sandboxed applications.
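The abstract names non-injective address translation as the kind of pitfall a formal model exposes, but does not describe the SLE 88 mechanism itself. The following is an added, constructed toy model (not code from the paper, and not Infineon's design): a segment-table MMU treated as a small state machine, with a check that reports overlapping physical ranges. Translation is injective exactly when that report is empty, and a cross-application overlap is an isolation breach. All names (`Segment`, `SandboxMMU`, `appA`, `appB`) and the sample layouts are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed, simplified model of segment-based address translation for
# sandboxed applications. Every name here is hypothetical; this is not the
# SLE 88 memory management design, only an illustration of the injectivity
# property that such a design has to satisfy.


@dataclass(frozen=True)
class Segment:
    base: int       # physical base address
    size: int       # length in bytes
    writable: bool  # whether stores are permitted

    @property
    def end(self) -> int:
        return self.base + self.size  # exclusive upper bound


class SandboxMMU:
    """State: one segment table per loaded application.
    Inputs: load_app / translate / access.  Outputs: a physical address,
    or None to signal a fault (out-of-bounds, unknown segment, permission)."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Segment]] = {}

    def load_app(self, app: str, segments: List[Segment]) -> None:
        if app in self.tables:
            raise ValueError(f"{app} already loaded")
        self.tables[app] = list(segments)

    def translate(self, app: str, seg: int, offset: int) -> Optional[int]:
        """Logical (segment, offset) -> physical address, or None on fault."""
        table = self.tables.get(app)
        if table is None or not 0 <= seg < len(table):
            return None
        s = table[seg]
        if not 0 <= offset < s.size:
            return None  # bounds fault
        return s.base + offset

    def access(self, app: str, seg: int, offset: int, write: bool) -> Optional[int]:
        """translate() plus the write-permission check of the segment."""
        phys = self.translate(app, seg, offset)
        if phys is None:
            return None
        if write and not self.tables[app][seg].writable:
            return None  # permission fault
        return phys

    def aliases(self) -> List[Tuple[str, int, str, int]]:
        """Pairs (app, seg, app', seg') whose physical ranges overlap.

        Translation is injective iff this list is empty: an overlap means
        two distinct logical addresses resolve to the same physical cell."""
        entries = [(app, i, s)
                   for app, segs in self.tables.items()
                   for i, s in enumerate(segs)]
        found = []
        for (a, i, sa), (b, j, sb) in combinations(entries, 2):
            if sa.base < sb.end and sb.base < sa.end:  # half-open intervals intersect
                found.append((a, i, b, j))
        return found

    def isolation_violations(self) -> List[Tuple[str, int, str, int]]:
        """Aliases between *different* applications: the sandbox boundary is breached."""
        return [v for v in self.aliases() if v[0] != v[2]]


def build_overlapping_layout() -> SandboxMMU:
    """Constructed layout: appB's segment starts 0x80 bytes inside appA's."""
    mmu = SandboxMMU()
    mmu.load_app("appA", [Segment(0x1000, 0x100, writable=True)])
    mmu.load_app("appB", [Segment(0x1080, 0x100, writable=True)])
    return mmu


def build_disjoint_layout() -> SandboxMMU:
    """Constructed layout with no physical overlap; appA also gets a read-only segment."""
    mmu = SandboxMMU()
    mmu.load_app("appA", [Segment(0x1000, 0x100, writable=True),
                          Segment(0x2000, 0x40, writable=False)])
    mmu.load_app("appB", [Segment(0x1100, 0x100, writable=True)])
    return mmu


if __name__ == "__main__":
    bad = build_overlapping_layout()
    print("appA seg0 off 0x80 ->", hex(bad.translate("appA", 0, 0x80)))
    print("appB seg0 off 0x00 ->", hex(bad.translate("appB", 0, 0x00)))
    print("isolation violations:", bad.isolation_violations())
    print("disjoint layout violations:", build_disjoint_layout().isolation_violations())
```

The overlap check is the whole point: each individual translation in the overlapping layout passes its own bounds check, so a per-access test would never notice that `appB` can read and write the top 0x80 bytes of `appA`. Only a property stated over the entire translation function, which is what a formal model forces you to write down, catches it.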
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
von Oheimb, D., Walter, G., Lotz, V. (2003). A Formal Security Model of the Infineon SLE 88 Smart Card Memory Management. In: Snekkenes, E., Gollmann, D. (eds) Computer Security – ESORICS 2003. ESORICS 2003. Lecture Notes in Computer Science, vol 2808. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-39650-5_13
DOI: https://doi.org/10.1007/978-3-540-39650-5_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20300-1
Online ISBN: 978-3-540-39650-5